The Problem

• Software we do not understand and trust

• Complex data formats

  • which we are not supposed to understand

  • or which we are not willing to understand

• Massive exchange of documents in these complex formats

• Covert channels everywhere!
Who we are

Cambridge Security Group - if you don't know them you must have been living under a rock.

Laboratory for Dependable Distributed Systems at RWTH-Aachen University

• Founded in late 2003 for theoretical & practical security research, topics include:

  • Security Education

  • Honeypot technology

  • Sensor Networks

• Notable classes include "Hacker Seminar", "Hacker Praktikum", "Pen-Test Praktikum", "Aachen Summerschool applied IT-Security", "Computer Forensics"

• http://mail-i4.informatik.rwth-aachen.de/mailman/listinfo/lufgtalk/
Agenda

• The MS Office Document problem

• Problems with PDFs

• So go for simple formats?

• pOrn!

• Never trust a girl named .jpeg
The MS Office Document Problem

Monstrous!

[Screenshot: lrevcel.doc opened in Microsoft Word. The visible text is a UK Treasury statement on North Sea taxation ("... the Government's approach would be guided not by short-term factors but by the need for a regime that raises a fair share of revenue and promotes long-term investment in the North Sea. In line with this commitment, the Government has now decided on the reforms it wishes to bring forward." ... "the Government has therefore decided to introduce from today a supplementary charge on profits from the production of oil and gas in the UK and on the UK Continental Shelf (UKCS). The charge will apply at 10 per cent, in addition to the standard corporation tax rate of 30 per cent." ... "most capital investment in the North Sea will qualify for an immediate 100 per cent allowance against general corporation tax and the supplementary charge, rather than the 25 per cent allowance currently available."). In the middle of it, rendered struck through, the file still carries deleted draft wording as a tracked change: "... adequately reflect the large profits derived from the exploitation of a national resource and so has become unsustainable. To ensure the nation obtains a fair share of the profits from the exploitation of the North Sea, ..."]
Tools to investigate

Antiword

• Word 2, 6, 7, 97, 2000 and 2002

• http://www.winfield.demon.nl/

catdoc & xls2csv

• no support for OLE streams

• http://www.45.free.net/~vitus/ice/catdoc/

word2x

• http://word2x.sourceforge.net/
Laola "is a collection of documentations and perl programs dealing with binary file formats of Windows program documents."

Contains

• lclean - Laola Clean: "Saves the trash sections of e.g. Word 6, Word 7 or Excel documents to own files."

• ldat - Laola Display Authress Title: "Lists author, title, creation date and some other information sticked in a laola file. Gets printer information from Excel and Word files."

• lls - Laola List: "Lists the structure of a Laola document."

• elser - "password resolving, macro decoding".

No development for 5 years.

http://www.cs.tu-berlin.de/~schwartz/pmh/index.html
wvWare

• used by AbiWord

• tested by KWord

• actively developed, but the development lines are hard to follow: Word View, wv, wv2, wvWare ...

Tools

• wvText, wvHtml

• wvSummary, wvVersion

http://wvware.sourceforge.net/
Word Dumper

[Screenshot: http://www.computerbytesman.com/, the site hosting Word Dumper. Its index lists, among others, "Word 'bytes' Blair", "Internet Explorer SuperCookies", "Web Bug Search Page", "Data spills in banner ads", "Dangerous ActiveX Controls", "Bill Gates' trustworthy computing memo and response" and "Bush v. Kerry: Rating the candidates on Web site security".]
Problems with PDFs

A document exchange format is becoming a document editing format.

PDF

• Looks like an "open standard" ...

• ... but very hard to decode in depth

• Designed for document publishing and distribution

• Very wide deployment

• Adobe is pushing PDF as the default file format of their applications

• The problem of redaction
Redacted Documents

• Documents where the public has "a right to know" ...

• ... but which contain confidential or private information

• Or documents a party is forced to hand over to another party

• Typical classes of documents:

  • court documents

  • public files
Who is using redaction?

• The "legal community"

• Historians

• Journalists
white text on white ground

[Screenshot: Direct Testimony of David A. Schlissel. Paragraph 12 reads "Numerous APS and PWEC planning studies from the years 1993-2002 indicated that the PWEC units were being built to facilitate power sales to areas outside Arizona, not primarily to serve APS load." and paragraph 14 "The PWEC units were built in locations where they could serve APS loads and supply power to markets outside Arizona." Paragraph 13 in between shows only empty numbered lines: its text is set in white on the white page.]

black text on black ground

[Screenshot: a study ("Following are the key findings of the study:") whose findings are set in black text on a black block.]
black boxes over text

[Screenshot: a Liberty recommendation to the UARB ("Liberty recommends that if the UARB decides to authorize a FAM then the UARB should examine very carefully the ... process to determine that ... have been adequately protected.") with part of the sentence under a black bar.]

black boxes over graphics

[Screenshots: a page marked SECRET from a chapter "VIII. 'THE SHAH IS VICTORIOUS'" ("While on the 18th only [black box] had published the Imperial firman naming Zahedi as Prime Minister, on 19 August, as soon as the city was awake, early risers could see photostats or type-set copies of the ...") where the names are covered by black boxes; and an energy-scheduling document ("Once the energy was delivered to COB, TransAlta would either use its available transmission rights to schedule the energy to Mid ...") with a box over a figure.]
Legal Redaction

[Screenshots of redaction as practised in legal documents: a DMCA notification letter sent "VIA AIRBORNE EXPRESS AND E-MAIL" to Singingfish, Seattle, WA 98121, with the addressee replaced by "xxx" ("Attn: xxx (DMCA Notification)", "Dear xxx"); testimony with a figure replaced by a bullet ("Q10. What is the index and adjustment of your first adjustment? A. My first adjustment is a reduction of •, based on updating the United States vs. Canadian foreign exchange rate."); a special education compliance report with names replaced by asterisks ("**** (the 'Complainant') alleges that the **** Public Schools (the 'District') did not implement the Complainant's child's, **** (the 'Student'), Individualized Education Program ('IEP') 'properly and in a timely manner.'"); a deposition notice with "[redacted]"; and a coal supply study in which the consultant's name is replaced by "M" ("In July 2003, NSPI commissioned M to conduct a global coal supply basin survey. M recommended that NSPI should find ways to reduce its dependence on bulk, self-unloading vessels, and should develop the capability to unload gearless Panamax and Capesize vessels. M recommended that NSPI would realize a significant reduction in freight cost given access to this much larger fleet of standard gearless bulk carriers, which ...").]
PDF Scrubbing

[Three screenshots of Sample.pdf, page 3 of 20, "The Growing Threat to Information Systems Security" (a text on federal information technology: "... the Government employed 120,000 information technology workers, and operated 25,000 medium and large mainframe computers and more than two million individual workstations. The Department of Defense has over two million computers, 10,000 local area networks, and 100 long-distance networks. The civilian sector has a critical responsibility to maintain privacy and services for the public using automated data processing and relying on the National Information Infrastructure. ... If key responsibilities of both the civilian and military sectors of government are heavily dependent upon an unsecured, potentially unavailable Internet, the Government must address whether this reliance on the NII is an acceptable risk and, if so, how to manage the risks involved."). First the original page; then the same page with redaction marks placed over passages and labelled with FOIA exemption codes such as (b)(2), (b)(3), (b)(5), (b)(6); then the resulting redacted file, in which the marked passages are replaced by the exemption labels.]
Removing Redactions

Methods

• Very dependent on the amount of Adobe software you have at hand.

• Copy black/white text on same ground

• Copy text under black bars

• Copy graphics under black bars

• Remove overlaying graphics

• Write your own tool
[Screenshots of the methods applied: "Schlissel Testimony - Redacted.pdf" (49 pages), the white-on-white paragraph 13 between paragraphs 12 and 14; "washpost_sniperletter.pdf", the Washington Post's copy of the sniper letter ("Sniper instructs authorities to transfer $10 million into a Visa credit card account. The account belongs to a woman who reported the card [black bar] California. The card was later used in Tacoma, Wash."); the page marked SECRET, "VIII. 'THE SHAH IS VICTORIOUS'" ("... the only [black box] had published the Imperial firman naming Zahedi as Prime Minister, on 19 August, as soon as the city was awake, early risers could see photostats or type-set copies of the firman in the papers Setareh Islam, Asia Javanan, Aram, Mard-i-Asia, Mellat-i-Ma and the Journal de Tehran. The first four of these papers, and Shahed and Dad in addition, ran an alleged interview with Zahedi which stressed that his government was the only legal one in existence, an interview that had been fabricated by [black box]. Somewhat later in the morning the first of many thousand broadsheets which carried a photostatic copy of the firman and the text of the Zahedi statement appeared on the streets. Although each of these newspapers had a normal circulation of restricted size, the news they carried was undoubtedly flashed through the city by ..."); and a PostScript viewer window (menus: File, Print Marked, Redisplay, State, Page, BBox) displaying washpost_sniperletter.ps, dated 2004/12/26 15:43.]
Coding your own

• Strategy:

  • convert to PostScript

  • replace 'box' operators by NOOPs

  • (actually by popping the parameters to box into the bit bucket)

• Problem: real-world PostScript uses no boxes
Terminal - RedTeam@RWTH

Excerpt of the pdf2ps output. Every line is one filled rectangle: the start point, then two edge vectors; the procedure A pushes the negated copies of the two vectors before it, so "A A" is shorthand for the explicit form shown on the first line.

2204.84 5683.09 2.21 -63.26 1198.27 41.84 -2.21 63.26 -1198.27 -41.84 f*
1299.72 5515.11 2.21 -63.26 340.15 11.88 A A f*
1805 5374.75 2.21 -63.26 340.15 11.88 A A f*
2375.79 5245.32 2.21 -63.26 489.41 17.09 A A f*
2116.53 5081.14 2.21 -63.26 351.07 12.26 -2.21 63.26 -351.07 -12.26 f*
1833.88 4950.36 3.29 -94.24 1179.92 41.2 A A f*
2620.39 4798.75 2.21 -63.26 277.01 9.67 A A f*
5772.52 6352.31 2.21 -63.26 527.48 -12.31 A A f*
6151.04 8283.32 2.21 -63.26 705.89 19.75 A A f*

The prolog procedures behind it (! defines a bound procedure, P does the moveto and calls p for the rlinetos, f* fills the path with the even-odd rule):

/!{bind def}bind def
/A {3 index neg 3 index neg}!
/p{N 2 idiv{N -2 roll rlineto}repeat}!
/P{N gt{N -2 roll moveto p}if}!
/f*{P eofill}!
Works!

% pdf2ps washpost_sniperletter.pdf washpost_sniperletter.ps
% perl -npe 's/ f\*$//;' < washpost_sniperletter.ps > washpost_sniperletter-unredacted.ps
Miserable Failure

% pdf2ps 01.pdf 01.ps
% perl -npe 's/^\d+ \d+ \d{3,10} \d+ rf$//' < 01.ps > 01-unredacted.ps
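The "copy text under black bars" method and the "coding your own" strategy work for the same reason: the text-showing operators stay in the page's content stream, and the black box is merely another fill painted on top. The following is an added example, not code from the slides or their author's tool. It is a small Python scanner over a PDF content stream that lists every Tj/TJ run and reports which runs have their origin under a filled shape, whether the shape was drawn with the rectangle operator or as a generic m/l/h path (which is why a regex for one operator, as on the previous slide, can miss boxes). The sample stream, its coordinates and the "Acme" text are constructed for the demo; strings are treated as single-byte Latin-1, an assumption that real documents (with font encodings) do not guarantee.

```python
import re
from dataclasses import dataclass


class Op(str):
    """Operator token, kept distinct from /Name (str) and string (bytes) operands."""


@dataclass
class TextRun:
    text: str
    x: float   # origin of the run in user space; font metrics are not applied
    y: float


@dataclass
class Rect:
    x0: float
    y0: float
    x1: float
    y1: float

    def contains(self, x, y):
        return self.x0 <= x <= self.x1 and self.y0 <= y <= self.y1


# comment | hex string | number | /Name | array bracket | operator
_TOKEN = re.compile(rb"\s+|(%[^\r\n]*)|(<[0-9A-Fa-f\s]*>)|([+-]?(?:\d+\.?\d*|\.\d+))"
                    rb"|(/[^\s/\[\]()<>{}%]*)|([\[\]])|([^\s/\[\]()<>{}%]+)")


def _read_literal(data, i):
    """Parse the (...) string starting at data[i]: nested parens, \\-escapes, \\ddd octal."""
    depth, out, i = 1, bytearray(), i + 1
    while i < len(data) and depth:
        c = data[i:i + 1]
        if c == b"\\":
            i += 1
            e = data[i:i + 1]
            if e.isdigit():
                j = i
                while j < len(data) and j - i < 3 and data[j:j + 1].isdigit():
                    j += 1
                out.append(int(data[i:j], 8) & 0xFF)
                i = j - 1
            elif e not in (b"\r", b"\n"):          # escaped newline = line continuation
                out += {b"n": b"\n", b"r": b"\r", b"t": b"\t", b"b": b"\b", b"f": b"\f"}.get(e, e)
        elif c in (b"(", b")"):
            depth += 1 if c == b"(" else -1
            if depth:
                out += c
        else:
            out += c
        i += 1
    return bytes(out), i


def tokenize(data):
    """Flat token list; a [...] array becomes one Python list operand."""
    out, arrays, i = [], [], 0

    def emit(tok):
        (arrays[-1] if arrays else out).append(tok)

    while i < len(data):
        if data[i:i + 1] == b"(":
            s, i = _read_literal(data, i)
            emit(s)
            continue
        m = _TOKEN.match(data, i)
        if not m:
            raise ValueError("unsupported syntax at offset %d" % i)  # e.g. << >> dictionaries
        i = m.end()
        comment, hexstr, num, name, bracket, op = m.groups()
        if comment or not any(m.groups()):
            continue
        if hexstr:
            emit(bytes.fromhex(hexstr[1:-1].decode()))
        elif num:
            emit(float(num))
        elif name:
            emit(name.decode("latin-1"))
        elif bracket == b"[":
            arrays.append([])
        elif bracket == b"]":
            emit(arrays.pop())
        else:
            emit(Op(op.decode("latin-1")))
    return out


def _decode(s):
    # Demo assumption: single-byte text in a Latin-1-like encoding. Real files need
    # the font's /Encoding or /ToUnicode map to turn Tj strings into characters.
    return s.decode("latin-1")


def analyze(stream):
    """Return (text runs, filled boxes). Each fill is recorded as the bounding box of
    every subpath, so 're f' and a rectangle drawn with m/l/l/l/h f both count."""
    runs, rects, operands, subpaths = [], [], [], []
    x = y = 0.0
    for tok in tokenize(stream):
        if not isinstance(tok, Op):
            operands.append(tok)
            continue
        if tok == "BT":
            x = y = 0.0
        elif tok in ("Td", "TD"):
            x, y = x + operands[-2], y + operands[-1]
        elif tok == "Tm":
            x, y = operands[-2], operands[-1]
        elif tok == "Tj":
            runs.append(TextRun(_decode(operands[-1]), x, y))
        elif tok == "TJ":
            runs.append(TextRun("".join(_decode(e) for e in operands[-1]
                                        if isinstance(e, bytes)), x, y))
        elif tok == "re":
            rx, ry, w, h = operands[-4:]
            subpaths.append([(rx, ry), (rx + w, ry + h)])
        elif tok == "m":
            subpaths.append([(operands[-2], operands[-1])])
        elif tok in ("l", "c", "v", "y") and subpaths:
            subpaths[-1].append((operands[-2], operands[-1]))
        elif tok in ("f", "f*", "F", "B", "B*", "b", "b*"):
            for pts in subpaths:
                xs, ys = [p[0] for p in pts], [p[1] for p in pts]
                rects.append(Rect(min(xs), min(ys), max(xs), max(ys)))
            subpaths = []
        elif tok in ("n", "S", "s"):
            subpaths = []                          # path ended without a fill
        operands = []
    return runs, rects


def all_text(stream):
    return [r.text for r in analyze(stream)[0]]


def covered_text(stream):
    """Runs whose origin lies under a filled shape: visually redacted, still in the file."""
    runs, rects = analyze(stream)
    return [r.text for r in runs if any(rc.contains(r.x, r.y) for rc in rects)]


# Constructed sample (hypothetical document, invented text and coordinates): three
# text runs, the last two "redacted" by painting black shapes over them afterwards.
SAMPLE_STREAM = b"""
BT /F1 12 Tf 72 700 Td (The contract was awarded to) Tj ET
BT /F1 12 Tf 240 700 Td (Acme Shell Corp. for EUR 4.2M) Tj ET
BT /F1 12 Tf 72 680 Td [(Signed by ) -250 (J. Doe)] TJ ET
0 0 0 rg
236 696 190 16 re f                        % black box via the rectangle operator
70 676 m 140 676 l 140 692 l 70 692 l h f  % the same box drawn as a generic path
"""

if __name__ == "__main__":
    print("all text:   ", all_text(SAMPLE_STREAM))
    print("under boxes:", covered_text(SAMPLE_STREAM))
```

To run it against a real file, decompress the page's content stream first (e.g. with a PDF library or `qpdf --stream-data=uncompress`) and feed the bytes to covered_text(); a redaction that was done properly leaves no run under any box, because the text was deleted rather than covered.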
So go for simple formats?

Simple things are easy to understand, aren't they?

Plain Text Formats bite

• Mail/News headers

• Signatures

• Configuration files

• HTML

  • META, Comments

  <img src="c:\...\Jon Doe\My Documents\coolpix.jpg">
[Screenshot: a mail client showing a season's greeting, Subject: "Frohes Weihnachtsfest" (Merry Christmas), From: Prof. Dr. Thomas Hoeren <hoeren@uni-muenster.de>, Date: 23 December 2004 16:37:07 CET. The To: header lists dozens of recipients in the clear: private addresses, mailing-list owner addresses, a LISTSERV address and even a MAILER-DAEMON address.]
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% curl -q http://www.affordablehairtransplants.com/robots.txt 
<?php 

header("Content-type: text/plain"); 

if (strstr($_SERVER["HTTP_USER_AGENT"],"lurp")) print "User- 
Agent: Slurp\nDisallow: /"; 

?> 



Maximillian Dornseif • Laboratory for Dependable Distributed Systems, RWTH

Never trust a girl named .jpeg

The techtv moderator incident

• Moderator adds picture to her weblog

• People download it, archive it, view it with an image browser

• Picture was cropped, thumbnail remains uncropped

• Male teenage geeks get totally mad
How did it happen?

• Software glitch?

• Widespread?

• Desired behavior?

  • ... actually it is.
EXIF

• JPEG works surprisingly well considering that there is such a wide variety of JPEG standards and implementations.

• EXIF is the standard way to store metadata headers (including an embedded thumbnail)

• Applications usually leave unknown EXIF headers (thumbnails?) untouched.

• So we expect the problem to be quite widespread.
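As an added example (not from the slides), the following Python shows where the thumbnail lives and why it survives: the Exif APP1 segment is a TIFF structure whose IFD0 links to IFD1, and IFD1's JPEGInterchangeFormat / JPEGInterchangeFormatLength tags point at a complete embedded JPEG preview. An editor that re-encodes the pixels but copies the APP1 blob through unchanged leaves the old preview exactly where extract_exif_thumbnail() finds it; strip_exif() is the corresponding mitigation. The outer JPEG and the preview built here are constructed byte strings for the round trip, not real pictures.

```python
import struct

APP1, SOS = 0xFFE1, 0xFFDA
EXIF_ID = b"Exif\x00\x00"
TAG_THUMB_OFFSET, TAG_THUMB_LENGTH = 0x0201, 0x0202   # JPEGInterchangeFormat(+Length)


def _segments(jpeg):
    """Yield (marker, payload, start, end) for every marker segment before SOS."""
    if jpeg[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG")
    i = 2
    while i + 4 <= len(jpeg):
        marker, length = struct.unpack(">HH", jpeg[i:i + 4])
        if marker == SOS:            # entropy-coded image data follows; metadata ends here
            return
        yield marker, jpeg[i + 4:i + 2 + length], i, i + 2 + length
        i += 2 + length


def _ifd_entries(tiff, offset, e):
    """Return ({tag: value field}, offset of the next IFD) for the IFD at `offset`."""
    (count,) = struct.unpack(e + "H", tiff[offset:offset + 2])
    entries = {}
    for k in range(count):
        pos = offset + 2 + 12 * k
        tag, _typ, _n, value = struct.unpack(e + "HHII", tiff[pos:pos + 12])
        entries[tag] = value
    nxt_pos = offset + 2 + 12 * count
    (nxt,) = struct.unpack(e + "I", tiff[nxt_pos:nxt_pos + 4])
    return entries, nxt


def extract_exif_thumbnail(jpeg):
    """Return the JPEG preview stored in Exif IFD1, or None if there is none."""
    for marker, payload, _, _ in _segments(jpeg):
        if marker != APP1 or not payload.startswith(EXIF_ID):
            continue
        tiff = payload[len(EXIF_ID):]
        e = {b"II": "<", b"MM": ">"}[tiff[:2]]        # byte order from the TIFF header
        (ifd0,) = struct.unpack(e + "I", tiff[4:8])
        _, ifd1 = _ifd_entries(tiff, ifd0, e)          # IFD0 links to IFD1, the thumbnail IFD
        if not ifd1:
            return None
        tags, _ = _ifd_entries(tiff, ifd1, e)
        if TAG_THUMB_OFFSET in tags and TAG_THUMB_LENGTH in tags:
            off, length = tags[TAG_THUMB_OFFSET], tags[TAG_THUMB_LENGTH]
            return tiff[off:off + length]               # offsets are relative to the TIFF header
    return None


def strip_exif(jpeg):
    """Mitigation: drop every Exif APP1 segment; SOS and the scan data are copied through."""
    out, pos = bytearray(jpeg[:2]), 2
    for marker, payload, start, end in _segments(jpeg):
        pos = end
        if marker == APP1 and payload.startswith(EXIF_ID):
            continue                                   # thumbnail, camera data, all of it
        out += jpeg[start:end]
    return bytes(out) + jpeg[pos:]


def build_exif_jpeg(thumbnail):
    """Constructed test file: SOI, an Exif APP1 (little-endian TIFF, IFD0 with Orientation=1
    linking to IFD1 that points at `thumbnail`), a bare SOS header, dummy scan data, EOI.
    It exercises the metadata path only; it is not a decodable picture."""
    e = "<"
    ifd0 = 8
    ifd1 = ifd0 + 2 + 12 + 4
    thumb = ifd1 + 2 + 2 * 12 + 4
    tiff = b"II" + struct.pack(e + "HI", 42, ifd0)
    tiff += struct.pack(e + "H", 1) + struct.pack(e + "HHIHxx", 0x0112, 3, 1, 1)
    tiff += struct.pack(e + "I", ifd1)
    tiff += struct.pack(e + "H", 2)
    tiff += struct.pack(e + "HHII", TAG_THUMB_OFFSET, 4, 1, thumb)
    tiff += struct.pack(e + "HHII", TAG_THUMB_LENGTH, 4, 1, len(thumbnail))
    tiff += struct.pack(e + "I", 0) + thumbnail
    app1 = EXIF_ID + tiff
    sos = struct.pack(">HH", SOS, 8) + b"\x01\x01\x00\x00\x3f\x00"
    return (b"\xff\xd8" + struct.pack(">HH", APP1, len(app1) + 2) + app1
            + sos + b"\x00" * 16 + b"\xff\xd9")


# Constructed stand-in for the uncropped camera preview (not a real JPEG either).
FAKE_THUMBNAIL = b"\xff\xd8" + b"uncropped preview" + b"\xff\xd9"

if __name__ == "__main__":
    img = build_exif_jpeg(FAKE_THUMBNAIL)
    print(extract_exif_thumbnail(img))               # the preview comes back out
    print(extract_exif_thumbnail(strip_exif(img)))   # None once APP1 is gone
```

On a real photo, write the bytes returned by extract_exif_thumbnail() to a .jpg file and open it next to the published image; any difference is exactly the kind of leak the crawl below looked for.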
[Figure: six JPEG files side by side. Each holds the same kind of JPEG image data, but the metadata header differs: EXIF (versions 0.73 and 0.77) versus JFIF (1.01 and 1.02), carrying different ancillary data such as a thumbnail, an "AppleMark" comment, a 1x1 aspect ratio, or a resolution of 180 x 180 / 150 x 150 DPI.]
Experimental Setup

• Get as many images as possible from the Internet

• Compare thumbnails to images

Spidering the Web

• We use a patched version of Niels Provos' crawl-0.4. Modifications:

  • Do not overload the filesystem with 100.000 entries in a directory

  • Keep HTTP headers for fingerprinting

  • See http://c0re.23.nu/c0de/misc/crawl-*.patch
Comparing Images

• We need a way to find, among a million pictures, the ones with a substantial difference between thumbnail and image.

• Steven J. Murdoch found a way for doing so

  • compare image proportion

  • compare image contents

  • analysis
Image Proportion

Scale both dimensions of the full size image equally, so that the larger dimension of the full size image is equal to the larger dimension of the thumbnail

Compare the smaller dimension of the scaled full size image to the smaller dimension of the thumbnail

The difference should be zero but, if the generator used a different rounding technique, it could be +/- 1

Repeat for the full size image rotated 90 degrees, and choose the minimum
Image Content

Scale the full size image to the size of the thumbnail

Use the "nearest" interpolation method for speed

Subtract one image from the other, and calculate the root mean square of the difference

If the ratio was closer with the swapped dimensions then do this for the 90 degree rotation (clockwise and anti-clockwise) and choose the minimum
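The proportion test and the content test from the two slides above, as an added example in pure Python (not the crawl's own code, which the slides do not show). It works on small grayscale images represented as lists of rows so that it runs without an imaging library; the images are constructed here: an "original" ramp, the preview a camera would have stored for it, a published version cropped at the sides, and a rotated preview. The nearest-neighbour resampling, the RMS and the rotation handling follow the slides; the rounding rule inside proportion_difference() is an assumption.

```python
import math


def proportion_difference(fw, fh, tw, th):
    """Slide method: scale the full image so its larger side equals the thumbnail's
    larger side, then compare the smaller sides. 0 means the same aspect ratio;
    +/-1 can come from a generator that rounded differently."""
    scale = max(tw, th) / max(fw, fh)
    return abs(round(min(fw, fh) * scale) - min(tw, th))


def needs_rotation(fw, fh, tw, th):
    """True when the thumbnail's aspect ratio matches the full image better with
    width and height swapped, i.e. the thumbnail was stored rotated by 90 degrees."""
    straight = abs(fw / fh - tw / th)
    swapped = abs(fh / fw - tw / th)
    return swapped < straight


def nearest_scale(img, new_w, new_h):
    """Nearest-neighbour resample of a row-major grayscale image (list of rows)."""
    h, w = len(img), len(img[0])
    return [[img[y * h // new_h][x * w // new_w] for x in range(new_w)] for y in range(new_h)]


def rotate90(img, clockwise=True):
    h, w = len(img), len(img[0])
    if clockwise:
        return [[img[h - 1 - y][x] for y in range(h)] for x in range(w)]
    return [[img[y][w - 1 - x] for y in range(h)] for x in range(w)]


def rms_difference(a, b):
    """Root mean square of the per-pixel difference of two equally sized images."""
    n = len(a) * len(a[0])
    return math.sqrt(sum((pa - pb) ** 2 for ra, rb in zip(a, b) for pa, pb in zip(ra, rb)) / n)


def compare(full, thumb):
    """Score a (full image, thumbnail) pair as (proportion difference, RMS difference).
    If the dimensions matched better swapped, both 90 degree rotations of the full
    image are tried and the smaller RMS is kept, as described on the slides."""
    fh, fw, th, tw = len(full), len(full[0]), len(thumb), len(thumb[0])
    pdiff = proportion_difference(fw, fh, tw, th)
    if needs_rotation(fw, fh, tw, th):
        candidates = [rotate90(full, True), rotate90(full, False)]
    else:
        candidates = [full]
    rms = min(rms_difference(nearest_scale(c, tw, th), thumb) for c in candidates)
    return pdiff, rms


def gradient(w, h):
    """Constructed test image: a diagonal ramp (values stay below 256 at these sizes)."""
    return [[x * 8 + y * 4 for x in range(w)] for y in range(h)]


ORIGINAL = gradient(16, 12)                   # what the camera saw
THUMB = nearest_scale(ORIGINAL, 8, 6)         # the preview the camera stored with it
PUBLISHED = [row[2:14] for row in ORIGINAL]   # the user cropped both sides away (12 x 12)
ROTATED_THUMB = rotate90(THUMB, True)         # some generators store the preview rotated

if __name__ == "__main__":
    print("untouched image :", compare(ORIGINAL, THUMB))        # (0, 0.0)
    print("cropped image   :", compare(PUBLISHED, THUMB))       # aspect off, RMS > 0
    print("rotated preview :", compare(ORIGINAL, ROTATED_THUMB))
```

The thresholds that separate "interesting" from "boring" pairs are not part of the method; the slides that follow derive them empirically with R from a manually checked sample, and the two false-positive classes listed there (sharp edges under nearest-neighbour scaling, padded thumbnails) show up in this scoring as a raised RMS and a non-zero proportion difference respectively.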
Analysis

• Use GNU R to find suitable criteria on ratio and RMS difference

• Pick a random sample, check manually and compare histograms

• Output full size image and scaled thumbnail side-by-side, for comparison

Analysis

• Filter out false positives manually, mainly due to:

  • Images with sharp edges cause phase differences in the scaled image because of "nearest" interpolation, and so increase the RMS difference

  • Images where the thumbnail has been padded to a fixed ratio, different from that of the full size image

Terminal - RedTeam@RWTH

% sh process.sh
372105 files in 7073s processed (0.019s per image), 69603 thumbnails found (18.7%)
processing './results.data', writing output to './flagged.data'
372105 files processed, 6441 found interesting (1.7%) out of 69603 with thumbnails (9.3%)

ca. 19% of the images have thumbnails
ca. 9% of the thumbnails are "interesting"
how to screen thousands of images?

[Screenshot: browser at http://sauna.5711.org/~md/thumbnails/, "Demo: Differences between JPEG Images and their EXIF Thumbnails". Each pair is shown as "The Image" next to the thumbnail ("Comparing the thumbnail to the image ...") with a rating form: No visible differences / Boring / Worth a look / Interesting / A must see / Completely different images.]
What did we find?

• Completely unrelated images

• Cropping

• People removing their friends

• Stolen Images

• Privacy violations
[Example image pairs from the crawl, each shown as the full size image next to the scaled thumbnail together with its proportion and RMS scores: Removing Friends, Stolen Images, Identity Hiding, Photoshopping, Unrelated Images, Cropping.]
• Scalable Exploitation of, and Responses to Information Leakage Through Hidden Data in

• http://www.user-agent.org/word_docs.pdf